BLOG

Chips in the armor: PEN or Vulnerability Testing?

Chips in the armor: PEN or Vulnerability Testing?

Reports of hacking bank information, dating websites and even the 2016 presidential campaign have not only contributed to high levels of paranoia for businesses but driven them to consider testing their own networks and firewalls for any possible security breaches.

The only problem is choosing between doing PEN testing, vulnerability testing or both.

Making the choice can be difficult for organizations unversed in the differences between the two tests. PEN testing and vulnerability testing have been mistakenly labeled as the same because of some conflicting reports and marketing missteps.

Before signing that dotted line and making the final decision, it is important for your organization to think critically about what its goals are. Do you want to know how hackers can get into your organization's firewall or an in-depth evaluation of your network’s security profile?

The first step to answering these questions lies in how far you are willing to go to validate your cyber security.

Key differences between PEN and Vulnerability testing

NSK Business Development Associate Monica DeStefano spoke about some of the key differences between PEN and vulnerability testing.

Penetration testing often referred to as PEN testing, is composed of concentrated attacks on a company’s firewall by a third party that aims to find vulnerabilities that a hacker might exploit. In doing so, this would give the company a chance to respond to a hypothetical attack on its firewall.

SANS Institute wrote in a 2006 report on the subject that “the goal of a penetration test is to increase the security of the computing resources being tested.” Think of it as a dog trying to find a hole under a fence that it can use to wiggle under and break out into the wilderness.

Vulnerability testing, on the other hand, gives an evaluation of a company’s security profile, detailing some weaknesses and providing procedures that will either eliminate them or lower them to “an acceptable level of risk,” as SecureWorks writes.

The test will assign value and importance to each of the resources and will catalog the assets for a company’s convenience.

Vulnerability testing is often named "vulnerability analysis" or also a "vulnerability assessment."

Money, Money, Money

A vulnerability test is done by IT teams like NSK and the project can cost anywhere from $3,000.00 upwards based on the size of an organization’s network, according to DeStefano. That seems to be a steep price to pay for a firewall evaluation.

"These specialized companies aren’t cheap and employ people who were actual hackers – with a ridiculous amount of knowledge," says DeStefano.

You may think that you are saving big when you spring for a cheaper PEN test, but if it is done incorrectly you risk spending more to patch up the holes.

Do they still sound pretty similar?

Let us break that down for you.

PEN testing is goal-oriented and uses a narrower focus than vulnerability testing does. It looks for specific chips in the armor of a firewall and tries to squeeze past those so the deficiencies in the firewall can be reported.

Because the focus of PEN testing can be so specific, sometimes their reports can become obsolete because of updates in the system. If a program updates often, the PEN testing report that was done on Monday may not hold ground by Tuesday.

In contrast, vulnerability testing prioritizes listing and data analysis. By collecting information about a company’s firewall, vulnerability testers can assess the threat level. Vulnerability testing utilizes a much wider scope than PEN testing and can give the big picture report about a company’s firewall.

Vulnerability testing is extremely thorough. It will include charts, graphs, scans and report scores in order to gauge a company's cybersecurity level. It can also provide reports on who has access to certain files, NMAP scans and just about anything that a company might need to know about how secure its information really is.

What do we think?

NSK, Inc. recommends that you utilize a vulnerability test. It is more thorough than a PEN test would be and will inform you of the most pressing issues facing your cybersecurity.

NSK will use non-invasive methods to perform security and vulnerability scans on your company's firewall.

As Vice President of Professional Services Ryan Hickey says, "We review the results of the scans and produce reports that will be provided to our clients and explained in detail. The results will establish a security baseline and point out where vulnerabilities may be present on the network."

This is also often the only test you need.

A PEN test is helpful for knowing how a hacker might get into your firewall, but it may leave noticeable gaps out of the report -- and out of mind for someone else to exploit.

The most vulnerable companies to attack are small-to-medium sized ones, because the information they have is extremely important to them. Attackers will come in through an opened door, hold that information hostage and charge hundreds of thousands of dollars.

You might want to be more worried about an employee accidentally letting an attacker into the firewall than an anonymous hacker squeezing through some holes. A vulnerability test asks if the staff has the education that they need in order to keep the firewall secure.

"Education is power. Teaching your staff what is a good email and what is a bad one – on top of taking the necessary precautions, can make the threat of cyber attack very small," says DeStefano.